Hi Indunil,

Could you please confirm that the CRL and OCSP validators should be turned on/off from the registry resource after an initial server startup, instead of making changes in the certificate-validation.xml file?

Thanks,
TharinduE

On Fri, Jan 18, 2019 at 3:45 PM Piraveena Paralogarajah <[email protected]> wrote:

> Hi,
>
> I'm working on configuring x509Certificate Authenticator using WSO2 IS
> version 5.8.0. I did all the configurations as mentioned in the doc [1],
> and I got the error given below.
>
> org.wso2.carbon.identity.x509Certificate.validation.CertificateValidationException: Validator: OCSPValidatorcouldn't validate the revocation status of certificate with serial num: 14756929408771586256
>     at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.isRevoked(RevocationValidationManagerImpl.java:123)
>     at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.verifyRevocationStatus(RevocationValidationManagerImpl.java:63)
>     at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.isCertificateRevoked(X509CertificateUtil.java:257)
>     at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.validateCertificate(X509CertificateUtil.java:155)
>
> 2019-01-17 11:49:05,175] INFO {org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl} - X509 Certificate validation with CRLValidator
>
> [2019-01-17 11:49:05,176] DEBUG {org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl} - Certificate validation is not successful.
>
> org.wso2.carbon.identity.x509Certificate.validation.CertificateValidationException: Validator: CRLValidatorcouldn't validate the revocation status of certificate with serial num: 14756929408771586256
>     at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.isRevoked(RevocationValidationManagerImpl.java:123)
>     at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.verifyRevocationStatus(RevocationValidationManagerImpl.java:63)
>     at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.isCertificateRevoked(X509CertificateUtil.java:257)
>     at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.validateCertificate(X509CertificateUtil.java:155)
>
> So I disabled CRLValidator and OCSPValidator in the
> certificate-validation.xml file in ${IS_HOME}/repository/conf/security/,
> but the changes were not getting updated. According to the
> implementation in RevocationValidationManagerImpl.java in the
> identity-x509-revocation extension, the CRL and OCSP validators are read
> from the registry at repository/security/certificate/validator. This causes
> quite some confusion, since we need to modify the certificate-validation.xml
> as well as the registry to disable CRLValidator and OCSPValidator.
>
> The doc on Configuring x509Certificate Authenticator [1] also does not
> refer to the changes that need to be made in the configuration file and
> the registry to disable CRL and OCSP.
>
> [1] https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator
>
> Regards,
> Piraveena
>
> *Piraveena Paralogarajah*
> Software Engineer | WSO2 Inc.
> *(m)* +94776099594 | *(e)* [email protected]

--
Tharindu Edirisinghe
Associate Technical Lead | WSO2 Inc
Platform Security Team
Blog : http://tharindue.blogspot.com
mobile : +94 775181586
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
